siyuan
Enables users to manage and interact with a self-hosted knowledge base using the SiYuan Note API via curl commands.
Security score
The siyuan skill was audited on Jun 11, 2026 and we found 59 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 33 | 3. Store it in `${HERMES_HOME:-~/.hermes}/.env`: |
Template literal with variable interpolation in command context
| 44 | ```bash |
Template literal with variable interpolation in command context
| 85 | ```bash |
Template literal with variable interpolation in command context
| 96 | ```bash |
Template literal with variable interpolation in command context
| 109 | ```bash |
Template literal with variable interpolation in command context
| 118 | ```bash |
Template literal with variable interpolation in command context
| 127 | ```bash |
Template literal with variable interpolation in command context
| 136 | ```bash |
Template literal with variable interpolation in command context
| 145 | ```bash |
Template literal with variable interpolation in command context
| 154 | ```bash |
Template literal with variable interpolation in command context
| 163 | ```bash |
Template literal with variable interpolation in command context
| 176 | ```bash |
Template literal with variable interpolation in command context
| 185 | ```bash |
Template literal with variable interpolation in command context
| 200 | ```bash |
Template literal with variable interpolation in command context
| 213 | ```bash |
Template literal with variable interpolation in command context
| 224 | ```bash |
Template literal with variable interpolation in command context
| 239 | ```bash |
Template literal with variable interpolation in command context
| 251 | ```bash |
Curl to non-GitHub URL
| 45 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/..." \ |
Curl to non-GitHub URL
| 86 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/search/fullTextSearchBlock" \ |
Curl to non-GitHub URL
| 97 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/query/sql" \ |
Curl to non-GitHub URL
| 110 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/getBlockKramdown" \ |
Curl to non-GitHub URL
| 119 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/getChildBlocks" \ |
Curl to non-GitHub URL
| 128 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/getHPathByID" \ |
Curl to non-GitHub URL
| 137 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/attr/getBlockAttrs" \ |
Curl to non-GitHub URL
| 146 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/notebook/lsNotebooks" \ |
Curl to non-GitHub URL
| 155 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/listDocsByPath" \ |
Curl to non-GitHub URL
| 164 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/createDocWithMd" \ |
Curl to non-GitHub URL
| 177 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/notebook/createNotebook" \ |
Curl to non-GitHub URL
| 186 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/appendBlock" \ |
Curl to non-GitHub URL
| 201 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/updateBlock" \ |
Curl to non-GitHub URL
| 214 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/renameDocByID" \ |
Curl to non-GitHub URL
| 225 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/attr/setBlockAttrs" \ |
Curl to non-GitHub URL
| 240 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/deleteBlock" \ |
Curl to non-GitHub URL
| 252 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/export/exportMdContent" \ |
Access to hidden dotfiles in home directory
| 33 | 3. Store it in `${HERMES_HOME:-~/.hermes}/.env`: |
Access to hidden dotfiles in home directory
| 290 | # In ~/.hermes/config.yaml under mcp_servers: |
Access to .env file
| 33 | 3. Store it in `${HERMES_HOME:-~/.hermes}/.env`: |
External URL reference
| 21 | prompt: SiYuan instance URL (default http://127.0.0.1:6806) |
External URL reference
| 36 | SIYUAN_URL=http://127.0.0.1:6806 |
External URL reference
| 38 | `SIYUAN_URL` defaults to `http://127.0.0.1:6806` if not set. |
External URL reference
| 45 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/..." \ |
External URL reference
| 86 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/search/fullTextSearchBlock" \ |
External URL reference
| 97 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/query/sql" \ |
External URL reference
| 110 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/getBlockKramdown" \ |
External URL reference
| 119 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/getChildBlocks" \ |
External URL reference
| 128 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/getHPathByID" \ |
External URL reference
| 137 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/attr/getBlockAttrs" \ |
External URL reference
| 146 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/notebook/lsNotebooks" \ |
External URL reference
| 155 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/listDocsByPath" \ |
External URL reference
| 164 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/createDocWithMd" \ |
External URL reference
| 177 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/notebook/createNotebook" \ |
External URL reference
| 186 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/appendBlock" \ |
External URL reference
| 201 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/updateBlock" \ |
External URL reference
| 214 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/filetree/renameDocByID" \ |
External URL reference
| 225 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/attr/setBlockAttrs" \ |
External URL reference
| 240 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/block/deleteBlock" \ |
External URL reference
| 252 | curl -s -X POST "${SIYUAN_URL:-http://127.0.0.1:6806}/api/export/exportMdContent" \ |
External URL reference
| 297 | SIYUAN_URL: "http://127.0.0.1:6806" |